FREQUENTLY ASKED QUESTIONS

Issue: When installing rDirectory and myPassword you may be required to modify the ISAPI and CGI restrictions in IIS to allow .NET 4 extensions. Attempting to open either website before allowing these extensions will result in the following error:

HTTP Error 404.2 - Not Found
The page you are requesting cannot be served because of the ISAPI and CGI Restriction list settings on the Web Server.
Error Code: 0x800704ec

Procedure: To enable .NET 4 extensions in IIS7:

Open the IIS Manager and select the IIS Server instance to be modified.

In the right pane, double click ISAPI and CGI Restrictions, located under the IIS group.

Right-click the entry ASP.NET v4.0.30319 and select Allow from the menu.

Repeat for any additional .NET v4 extensions that may be present.

Restart IIS by right-clicking the IIS server instance, selecting Stop and then selecting Start when available.
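The same change can be made and audited from PowerShell. This is an added example, not vendor-supplied code; it assumes an elevated Windows PowerShell session on the IIS server and uses the Microsoft.Web.Administration library that ships with IIS. It allows only the ASP.NET v4.0.30319 entries and warns if the server permits unlisted extensions.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the IIS server.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"

$manager = New-Object Microsoft.Web.Administration.ServerManager
$config  = $manager.GetApplicationHostConfiguration()
$section = $config.GetSection('system.webServer/security/isapiCgiRestriction')

# A server that allows unlisted ISAPI/CGI binaries has no effective restriction list.
foreach ($flag in 'notListedIsapisAllowed', 'notListedCgisAllowed') {
    if ($section.GetAttributeValue($flag)) {
        Write-Warning "$flag is true: unlisted extensions are allowed server-wide."
    }
}

$changed = 0
foreach ($entry in $section.GetCollection()) {
    $path    = [string]$entry.GetAttributeValue('path')
    $allowed = [bool]$entry.GetAttributeValue('allowed')

    # Only the .NET 4 ASP.NET ISAPI extension (32- and 64-bit) is switched on.
    if ($path -like '*\v4.0.30319\aspnet_isapi.dll' -and -not $allowed) {
        $entry.SetAttributeValue('allowed', $true)
        $allowed = $true
        $changed++
    }

    # Emit every entry so the resulting restriction list can be reviewed.
    [pscustomobject]@{
        Description = $entry.GetAttributeValue('description')
        Path        = $path
        Allowed     = $allowed
    }
}

if ($changed -gt 0) {
    $manager.CommitChanges()   # writes applicationHost.config
    Write-Host "ASP.NET v4.0.30319 entries newly allowed: $changed"
}
$manager.Dispose()
```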

Symptom: A domain user attempts to use myPassword to change, reset, unlock or edit the Password reset profile. When the user enters his credentials, this message appears:

Solution: This error typically occurs following a new installation on a member server where Domain Users have not been granted access in the Local Security Policy of the server. This logon right determines which users can interactively log on to the computer.

Resolve this problem by adding the Domain Users group to the Allow Log on locally policy in the User Rights Assignment security setting using the following steps:
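The current assignment of this right can be checked from PowerShell before and after the change. This is an added example, not vendor-supplied code; it assumes an elevated session on the member server and reads the right by its internal name, SeInteractiveLogonRight, from a `secedit` export.

```powershell
# Added example: list who holds "Allow log on locally" (SeInteractiveLogonRight).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' |
        Select-Object -First 1
Remove-Item $cfg -Force

if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight is not defined in the exported policy.'
    return
}

# The value is a comma-separated list of *SID entries or plain account names.
$holders = foreach ($entry in ($line.Line -split '=', 2)[1].Split(',')) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*S-')) {
        $sid = $entry.TrimStart('*')
        try {
            $name = ([Security.Principal.SecurityIdentifier]$sid).
                        Translate([Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved SID)'
        }
    } else {
        $sid  = $null
        $name = $entry
    }
    [pscustomobject]@{ Sid = $sid; Name = $name }
}
$holders | Format-Table -AutoSize

# Domain Users is the domain SID followed by the well-known RID 513.
$direct = $holders | Where-Object { $_.Sid -match '^S-1-5-21-.+-513$' }
if ($direct) {
    "Domain Users is listed directly: $($direct.Name)"
} else {
    # The right can still reach domain users through a listed group,
    # for example BUILTIN\Users (S-1-5-32-545), so review the table above.
    'Domain Users is not listed directly.'
}
```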

Symptom: The GINA/Credential Provider has been deployed according to the documentation using Group Policy, but the login prompt link does not appear in the login box.

Solution: There can be several reasons for this problem.

First, check the URL for your rDirectory/myPassword website that you entered into the ADM template settings. You should be able to press Start | Run, then paste your URL into the dialog box.

If it does not launch the website, then the URL is likely malformed. When you can launch the website using this test, copy the successful URL into the ADM template settings on the Group Policy and force an update.

Sometimes Group Policy does not deploy to all workstations, so you should review the Applications or Policy event log on the workstation to investigate why it did not deploy. Below are some possible explanations:

Sometimes, the location for the software package cannot be accessed.

If deploying to an XP Professional machine, there is a default "Fast Boot" switch that allows a user to authenticate before Group Policy has completed processing. Typically, a second reboot will resolve this problem.

The policy is not linked to a container. You must link a policy to a container in order for it to process against the objects in the container.

Issue: How do we know which users have set up their Password Reset Profile? myPassword does not provide this information.

Solution: Using joBot's Account Check Module, you can configure the "Empty Attribute" job to run a report on myPassword's Password Reset Profile Questions and Answers.

Don't try to read the value of this attribute; it's encrypted on purpose. However, you can create the report in joBot and automatically email users that have not completed their profile.

NOTE: This requires having purchased the Account Check Module for joBot.

Here's How:

Launch the joBot Manager and highlight an agent in the agent list pane.

From the toolbar, select Actions | New Job. This opens a Select Job Type window.

From Available Job Types, expand Accounts and highlight Empty Attribute Notification; click on the OK button.

The Job Configuration window is displayed. Give your new job a relevant name, such as “Password Reset Profile Not Complete.”

In the middle section, labeled Status, click the Change link to access the Job Recurrence scheduling page. Set your desired pattern and range for how often you want the job to run. Click OK when finished.

Back on the Job Configuration window, click on the Click here to change job configuration settings link at the bottom.

The Empty Attribute Notification Criteria tab will appear and will begin scanning your Schema for relevant attributes. When completed, you can select an attribute in the Empty Value for Attribute window. Click on the drop-down and select TeletexTerminalIdentifier.

You can select a radio button to limit the search location by Directory, or by specified container.

On the Email tab, identify your email server, then select to notify the user, and/or send a list to a specified target address.

If you want, you can also create and save a report on the Report tab.

Once you have finished this configuration, just click OK twice to save your new job. The new job now appears in the job status list.

You can launch the job immediately by right-clicking the job, or you can just let it run based on the schedule selection. When the job runs based on your configuration, users and others can be notified if they have not completed their password reset profile.
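The joBot job is in effect an LDAP "attribute is absent" search. The sketch below runs that search directly with the ActiveDirectory PowerShell module; it is an added example, not joBot or myPassword code, and the search base and output file name are placeholders. It tests only whether teletexTerminalIdentifier is present and never requests the encrypted value.

```powershell
# Added example: report enabled users with no Password Reset Profile.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=example,DC=com'      # placeholder container
$reportPath = '.\reset-profile-missing.csv'     # placeholder output file

# Enabled user accounts only (bit 2 of userAccountControl = disabled).
$enabledUsers = '(objectCategory=person)(objectClass=user)' +
                '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Presence test: (attr=*) matches any stored value; wrapping it in (!...)
# matches accounts where the attribute is empty. The value is never returned.
$missingFilter  = "(&$enabledUsers(!(teletexTerminalIdentifier=*)))"
$enrolledFilter = "(&$enabledUsers(teletexTerminalIdentifier=*))"

$missing = @(Get-ADUser -LDAPFilter $missingFilter -SearchBase $searchBase `
                 -SearchScope Subtree -Properties mail |
             Select-Object SamAccountName, Name, mail, DistinguishedName)

$enrolled = @(Get-ADUser -LDAPFilter $enrolledFilter -SearchBase $searchBase `
                  -SearchScope Subtree).Count

$missing | Sort-Object SamAccountName |
    Export-Csv -Path $reportPath -NoTypeInformation

$total = $missing.Count + $enrolled
if ($total -gt 0) {
    $pct = [math]::Round(100 * $enrolled / $total, 1)
    "Enrolled: $enrolled of $total enabled users ($pct%). " +
    "Not enrolled: $($missing.Count), written to $reportPath"
} else {
    "No enabled user accounts found under $searchBase"
}
```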

The v.3.1 release of rDirectory includes a new method to ensure users update their Active Directory information. The previous versions of Enforced Data Integrity and the ProfileValidator will now work with the new Certify and Validate forms with some minor configuration changes.

Here’s how to enable the Validate and Certify functionality:

If you are upgrading from v.2.0 of rDirectory and ProfileValidator, there are a couple of configuration changes that must be made in order for the ProfileValidator to work.

First, open the Designer menu and change to Components | Forms. When you make changes to your edit form, you will see a new Tasks tab:

Check the boxes to enable the Validate Data and Certify Information tasks. You can modify the prompt messages if you want, and each task has a required or optional radio-button setting.

For Certify Tasks, you also need to set a "re-certify" period. This defines in days how often you expect users to certify the requested data. This value is stored in an unused attribute that you select.

Be very careful about which attribute you choose, because if there is any data already stored there, it will be overwritten. Please refer to the online Help topic Components | Forms Tab | Detail Form Editor for more information about selecting the Certify-Stamp attribute.

You can also configure email notifications here for any validate or certify events; however, you must create the email policy first.

This should be all of the requirements needed to complete the upgrade for the ProfileValidator. For more information on the Validate Data and Certify Tasks configuration, please review the documentation included with the upgrade/download files.

Give the new job a name (e.g., Clear PW Reset Profile) so that you know what it is supposed to do, then click the Change link to set the recurrence:

In this case, we set the recurrence to every 90 days. Click OK to save this setting.

On the Job Configuration window, if you choose the Click here to change job configuration settings option, you can customize this job to send reports when it completes, or even email notifications.

NOTE: The teletexTerminalIdentifier is automatically selected. This is the default attribute that stores the Password Reset Profile. You can select this option if you want to run the job against a specific container, or the entire directory, as well as enabled or disabled users (or both). Once you finish this configuration, simply click OK twice and the job is added to the task list.

The symptom: myPassword v3.2 now includes the ability to create a SQL database for tracking user activity with myPassword. It is possible to use an existing installation of SQL and simply create a new database; or, if you do not have SQL Server installed, the setup includes a link to the SQL Server Express download page, a free version that allows you to set up a database instance.

Sometimes when running this install, it is possible to encounter the Unhandled Exception in .NET. Please note, this is an SQL error, not an rDirectory/myPassword error; however, we have found the solution and can resolve this problem.

The Restricted Access Account is designed for myPassword when it is not possible to use the GINA or Credential Provider. This configuration allows you to create a locked-down account in Active Directory that is controlled by a Group Policy, restricting access to the myPassword page from the login.

This creates a well known account where users can login when they have forgotten their password. Using this login, users are able to reset the password for their personal account.

Traditionally, we have deployed an .ADM template file that configures the URL path and a message for the user describing how to login with the Restricted Access Account. Unfortunately, this .ADM template does not apply to Windows Vista or 7 machines, as these machines do not use a GINA - they use a Credential Provider instead.

If you want to use the Restricted Access Account on a Windows 7 or Vista machine, it is still possible. You can configure the desktop to display an informational message instructing users on how to login.

Here's how...

Configure the Restricted Access Account Group Policy as described in the Installation and Setup myPassword Optional Features document. You will need the template settings that apply to the URL that is assigned to the restricted user container.

Depending on how many Windows Vista or 7 machines you have, you can either configure the settings manually in the Local Security Policy, or you can configure the settings in the Default Domain Group Policy and have the settings deployed to all machines.

NOTE: The policy settings are the same whether you do it locally or via Group Policy - you just get to the policies differently.

No, rDirectory comes pre-configured with web-based Employee Directory applications that can be used within minutes of installation. You can choose to use them, tailor them or even create your own web-based applications from scratch. Your rDirectory Designer can create custom applications for finding, browsing, viewing, and editing virtually any information and data type available in your Active Directory. rDirectory does not require schema extensions, yet it allows you to easily take advantage of any schema extensions you make. The standard Active Directory schema already defines nearly 200 object types and 1000 attributes that rDirectory supports.

rDirectory uses native Active Directory security to control who can log on, what applications and information they can access, and if editing is allowed by an application, what the user can change. Role-based menus also enable targeted functionality for different audiences.

rDirectory offers three authentication modes and also allows for several combinations depending upon the configuration that best suits your needs. With the Windows Integrated mode, there is no need to explicitly log on to rDirectory - the application automatically picks up a user's Windows logon credentials. With Forms authentication, users log on at least once to rDirectory; however, a cookie can be set to pick up the user's logon information automatically for future use. The third logon method is for Anonymous access to rDirectory. This mode establishes default credentials for everyone who accesses the directory with rDirectory - no logon is needed. Anonymous mode allows users to search for and display information, but not edit it.

Anonymous mode is useful when you want to provide limited access to directory information (e.g. outfacing applications), or you do not want to require a Client Access License (CAL) for each user searching the directory. For example, you may choose to have public search capability on your website or to establish a lobby kiosk where visitors can locate the phone extension or office location of the person they are visiting.

Finally, rDirectory allows for a combination of the basic authentication modes – Anonymous plus Forms and Windows Integrated plus Forms. These hybrid modes allow users to temporarily log on with another identity. For example, a lobby kiosk using Anonymous plus Forms would allow visitors to search for public information, yet employees could log on to access menus and applications only available internally.

Role-based menus are available with rDirectory Enterprise edition. They provide the capability to create special applications only certain people within your organization may access. For example, you may wish to establish an application accessible only by security guards, receptionists, or certain levels of managers.

The role-based menu is organized with designated groups, and specified menu items within those groups. A directory role can be associated with both menu groups and menu items, thereby acting as an information access filter. This important feature allows you to develop applications for specific audiences within your organization. Conversely, if there is no role associated with a group or item, everyone in your organization will have access to that application.

Yes, with rDirectory Professional and Enterprise editions, users are empowered to edit information, but you and Active Directory are always in control of what they can do. First, you select which attributes you will allow each application to edit. If the user has rights in Active Directory, they will be allowed to edit those attributes. Attributes that they do not have rights to edit are removed from the edit page automatically, and if they do not have rights to edit any of the attributes configured as editable in the application, the edit button is also removed.

Yes, rDirectory's Enterprise Edition is highly flexible and gives you control over every aspect of each application. Using simple fill-in templates, you can define which objects are searched, and which attributes are used in the Search, Results, Detail and Edit sections for each application. With the role-based menu, you even control who has access to use specific applications.